diff --git a/config/install/tfa.settings.yml b/config/install/tfa.settings.yml index f82ba91..606597a 100644 --- a/config/install/tfa.settings.yml +++ b/config/install/tfa.settings.yml @@ -1,6 +1,7 @@ langcode: en enabled: false required_roles: { } +forced: 0 send_plugins: { } login_plugins: { } default_validation_plugin: '' diff --git a/config/schema/tfa.schema.yml b/config/schema/tfa.schema.yml index 53cb3db..c22c864 100644 --- a/config/schema/tfa.schema.yml +++ b/config/schema/tfa.schema.yml @@ -11,6 +11,9 @@ tfa.settings: sequence: type: string label: 'Role' + forced: + type: integer + label: 'Force required roles to setup when' send_plugins: type: sequence label: 'Enabled send plugins' diff --git a/src/Form/SettingsForm.php b/src/Form/SettingsForm.php index cb6ec38..64aa978 100644 --- a/src/Form/SettingsForm.php +++ b/src/Form/SettingsForm.php @@ -143,6 +143,14 @@ class SettingsForm extends ConfigFormBase { '#required' => FALSE, ]; + $form['tfa_forced'] = [ + '#type' => 'checkbox', + '#title' => $this->t('Force TFA setup'), + '#default_value' => $config->get('forced'), + '#description' => $this->t('Force TFA setup on login, redirect user to FTA overview page.'), + '#states' => $enabled_state, + ]; + $form['tfa_allowed_validation_plugins'] = [ '#type' => 'checkboxes', '#title' => $this->t('Allowed Validation plugins'), @@ -231,7 +239,14 @@ class SettingsForm extends ConfigFormBase { '#min' => 0, '#max' => 99, '#size' => 2, - '#states' => $enabled_state, + '#states' => [ + 'visible' => [ + [ + ':input[name="tfa_enabled"]' => ['checked' => TRUE], + ':input[name="tfa_forced"]' => ['checked' => FALSE], + ], + ], + ], '#required' => TRUE, ]; @@ -431,6 +446,7 @@ class SettingsForm extends ConfigFormBase { $this->config('tfa.settings') ->set('enabled', $form_state->getValue('tfa_enabled')) ->set('required_roles', $form_state->getValue('tfa_required_roles')) + ->set('forced', $form_state->getValue('tfa_forced')) ->set('send_plugins', array_filter($send_plugins)) ->set('login_plugins', array_filter($login_plugins)) ->set('login_plugin_settings', $form_state->getValue('login_plugin_settings')) diff --git a/src/Form/TfaLoginForm.php b/src/Form/TfaLoginForm.php index 08fd712..c448675 100644 --- a/src/Form/TfaLoginForm.php +++ b/src/Form/TfaLoginForm.php @@ -143,9 +143,15 @@ class TfaLoginForm extends UserLoginForm { * The state of the login form. */ protected function loginWithoutTfa(FormStateInterface $form_state) { + if ($this->forceTFASetup()) { + $this->doUserLogin(); + return; + } + // User may be able to skip TFA, depending on module settings and number of // prior attempts. $remaining = $this->remainingSkips(); + if ($remaining) { $user = $this->getUser(); $tfa_setup_link = Url::fromRoute('tfa.overview', [ @@ -161,12 +167,12 @@ class TfaLoginForm extends UserLoginForm { $this->hasSkipped(); $this->doUserLogin(); $form_state->setRedirect(''); + return; } - else { - $message = $this->config('tfa.settings')->get('help_text'); - $this->messenger()->addError($message); - $this->logger('tfa')->notice('@name has no more remaining attempts for bypassing the second authentication factor.', ['@name' => $this->getUser()->getAccountName()]); - } + + $message = $this->config('tfa.settings')->get('help_text'); + $this->messenger()->addError($message); + $this->logger('tfa')->notice('@name has no more remaining attempts for bypassing the second authentication factor.', ['@name' => $this->getUser()->getAccountName()]); } /** diff --git a/src/Form/TfaOverviewForm.php b/src/Form/TfaOverviewForm.php index 99026be..aa61190 100644 --- a/src/Form/TfaOverviewForm.php +++ b/src/Form/TfaOverviewForm.php @@ -159,13 +159,15 @@ class TfaOverviewForm extends FormBase { } } - $output['validation_skip_status'] = [ - '#type' => 'markup', - '#markup' => '

' . $this->t('Number of times validation skipped: @skipped of @limit', [ - '@skipped' => $user_tfa['validation_skipped'] ?? 0, - '@limit' => $config->get('validation_skip'), - ]) . '

', - ]; + if (!$config->get('forced')) { + $output['validation_skip_status'] = [ + '#type' => 'markup', + '#markup' => '

' . $this->t('Number of times validation skipped: @skipped of @limit', [ + '@skipped' => $user_tfa['validation_skipped'] ?? 0, + '@limit' => $config->get('validation_skip'), + ]) . '

', + ]; + } } else { $output['disabled'] = [ diff --git a/src/TfaLoginContextTrait.php b/src/TfaLoginContextTrait.php index 342c1c9..d944fa4 100644 --- a/src/TfaLoginContextTrait.php +++ b/src/TfaLoginContextTrait.php @@ -84,6 +84,17 @@ trait TfaLoginContextTrait { return empty(array_intersect($required_roles, $this->user->getRoles())); } + /** + * Should we force TFA setup? + * + * @return bool + * TRUE if TFA is enabled and there are no remaining skips left. + */ + public function forceTFASetup(): bool { + return !$this->isTfaDisabled() + && $this->tfaSettings->get('forced'); + } + /** * Check whether the Validation Plugin is set and ready for use. * diff --git a/tfa.services.yml b/tfa.services.yml index 7d56d23..69c3a6e 100644 --- a/tfa.services.yml +++ b/tfa.services.yml @@ -8,3 +8,8 @@ services: class: Drupal\tfa\Routing\TfaRouteSubscriber tags: - { name: event_subscriber } + tfa.force_setup: + class: Drupal\tfa\EventSubscriber\ForceTfaSetup + arguments: ['@current_route_match', '@messenger', '@current_user', '@config.factory', '@entity_type.manager', '@user.data', '@plugin.manager.tfa'] + tags: + - { name: event_subscriber }